Skip to main content

Linux Kernel CVE-2026-53298

| EUVDEUVD-2026-39833 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-26 Linux GHSA-qvrw-vpg6-fx6m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required; pure availability impact via kernel crash; no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 03:53 vuln.today
CVSS changed
Jul 08, 2026 - 03:52 NVD
5.5 (MEDIUM)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 nvd
MEDIUM 5.5
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()

If queue entry or DMA descriptor list allocation fails in airoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a NULL pointer dereference running netif_napi_del() for RX queue NAPIs since netif_napi_add() has never been executed to this particular RX NAPI. The issue is due to the early ndesc initialization in airoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc value to check if the queue is properly initialized. Fix the issue moving ndesc initialization at end of airoha_qdma_init_tx routine. Move page_pool allocation after descriptor list allocation in order to avoid memory leaks if desc allocation fails.

AnalysisAI

NULL pointer dereference in the Linux kernel's airoha QDMA network driver crashes the kernel when RX queue initialization fails mid-way through allocation. The flaw exists in airoha_qdma_init_rx_queue() where early ndesc initialization causes the cleanup routine to call netif_napi_del() on NAPI structures never registered via netif_napi_add(), dereferencing a null pointer and causing a local denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain low-privilege local access
Delivery
Identify Airoha QDMA hardware present
Exploit
Apply memory pressure to exhaust allocations
Install
Trigger driver re-initialization or load
C2
Allocation failure hits error path
Execute
NULL pointer dereference in cleanup
Impact
Kernel panic (DoS)

Vulnerability AssessmentAI

Exploitation Three conditions must all be met simultaneously: (1) the target system must have Airoha QDMA-based network hardware with the airoha kernel driver loaded - systems without this hardware are completely unaffected regardless of kernel version; (2) the attacker must have local system access with at least low-level privileges (PR:L per CVSS); (3) a memory allocation failure must occur specifically during airoha_qdma_init_rx_queue() for either the queue entry array or the DMA descriptor list - this is an error path condition, not the normal execution path, requiring either natural memory exhaustion or deliberate memory pressure. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is consistent with the described impact: local access with low privileges can trigger a kernel availability impact (crash) with no confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with low-privilege access on a device using Airoha QDMA-based networking hardware - such as certain MediaTek-based routers or embedded Linux platforms - applies memory pressure to exhaust available memory, then triggers reinitializion of the airoha network interface. The allocation failure in airoha_qdma_init_rx_queue() invokes cleanup before NAPI registration, dereferencing a null pointer and crashing the kernel. …
Remediation Upstream fix available via kernel stable git at https://git.kernel.org/stable/c/d36be272adda7f313e39dd118086955d993bf6a7, https://git.kernel.org/stable/c/4d4acfa348a1d8c0941004823662ede0fdb5dea5, https://git.kernel.org/stable/c/14dc48e5ba73d5c69559bf1a1a6884f7843aade7, and https://git.kernel.org/stable/c/379050947a1828826ad7ea50c95245a56929b35a. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy